From 0ed7ce4219811d566d204128149ab043b608fc41 Mon Sep 17 00:00:00 2001 From: Bjorn Date: Sun, 24 May 2026 11:40:18 -0700 Subject: [PATCH] ci(pr-leakage): add caller stub for shared pr-leakage workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit What: Add .github/workflows/pr-leakage.yaml that invokes the reusable pr-leakage-check.yaml hosted in ConductorOne/github-workflows on every pull_request opened, edited, synchronize, and reopened event. Why: config-validation — Public repos must not name a specific customer or expose internal service topology in a permanent world-readable artifact. Refs: ConductorOne/github-workflows#85 --- .github/workflows/pr-leakage.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/workflows/pr-leakage.yaml
diff --git a/.github/workflows/pr-leakage.yaml b/.github/workflows/pr-leakage.yaml
new file mode 100644
index 000000000..e869c9a36
--- /dev/null
+++ b/.github/workflows/pr-leakage.yaml
@@ -0,0 +1,18 @@
+name: pr-leakage
+
+on:
+ pull_request:
+ types: [opened, edited, synchronize, reopened]
+
+permissions:
+ contents: read
+ pull-requests: read
+
+jobs:
+ check:
+ # Pinned to @main until the reusable workflow gets a tagged release; tracked as
+ # follow-up so this caller can pin to a stable ref.
+ uses: ConductorOne/github-workflows/.github/workflows/pr-leakage-check.yaml@main
+ with:
+ pr_number: ${{ github.event.pull_request.number }}
+ secrets: inherit
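Review bot: `secrets: inherit` on the `check` job hands every secret this repository can see to a workflow resolved from the mutable `@main` ref, so any push to that branch in ConductorOne/github-workflows changes what runs with those secrets here without a review in this repo. The in-file comment defers pinning until a tagged release, but a tag can be moved too; a full commit SHA can be used today, e.g. `uses: ConductorOne/github-workflows/.github/workflows/pr-leakage-check.yaml@<FULL_COMMIT_SHA_PLACEHOLDER>  # main as of <date>`. If the check only reads PR metadata with the `GITHUB_TOKEN` (the called workflow is not visible here, so this is an assumption), drop `secrets: inherit`, or replace it with an explicit `secrets:` map listing only the names the called workflow declares. The top-level `permissions` block already limits the token to read scope and is worth keeping as is.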